
How DesQTA Protects Student Data
In an era where your student data is increasingly digital, security cannot be an optional feature. In DesQTA, we have architected our application from the ground up with a "Zero-Trust, Local-First" philosophy.
Today, we're sharing the technical details of how we secure your sessions, isolate your data, and ensure your privacy remains in your control.
AES-256 Encryption & Keychain Integration
Your Session ID (JSESSIONID) represents your authenticated SEQTA login session. If stored improperly, it is a vulnerability. DesQTA uses high-quality encryption to ensure this token never sits unprotected on your disk.
The Encryption Standard
We utilize AES-256-GCM (Galois/Counter Mode) for all sensitive session storage. This is an authenticated encryption standard that provides both confidentiality (meaning no one can read it) and integrity (meaning no one can modify it without detection).
OS-Native Key Management
Encryption is only as good as where you hide the key. We never hardcode keys or store them in plain text files. Instead, DesQTA communicates directly with the operating system's native secure storage:
Windows: Credential Manager
macOS: Keychain Services
Linux: Secret Service API / KWallet
Here’s how our Rust backend handles this process securely:
src-tauri/src/utils/session.rs

    /// Encrypt data using AES-256-GCM with OS-managed keys
    fn encrypt(data: &[u8]) -> Result<Vec<u8>, String> {
        // 1. Retrieve the unique, machine-specific key from the OS Keychain
        let mut key_bytes = Self::get_or_create_key()?;
        // 2. Initialize the cipher
        let unbound_key = UnboundKey::new(&AES_256_GCM, &key_bytes)
            .map_err(|e| format!("Failed to create encryption key: {:?}", e))?;
        // (Construction of `sealing_key` from `unbound_key` is not shown in this excerpt.)
        // 3. Encrypt the session data in-place
        let mut in_out = data.to_vec();
        sealing_key
            .seal_in_place_append_tag(Aad::empty(), &mut in_out)
            .map_err(|e| format!("Failed to encrypt session data: {:?}", e))?;
        // 4. CRITICAL: Zeroize key memory immediately after use
        key_bytes.zeroize();
        Ok(in_out)
    }

By calling .zeroize(), we ensure that even if an attacker inspects the application's RAM, the encryption key has already been wiped from memory.
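A manual wipe placed as the last step of a function is skipped whenever an earlier `?` returns first, whereas a drop guard wipes on every exit path. The sketch below is an added example, not DesQTA's code: `WipeOnDrop`, `cipher_step`, `manual_wipe` and `guarded_wipe` are hypothetical names, `cipher_step` is a placeholder that performs no encryption, and only the standard library is used (the zeroize crate's `Zeroizing` wrapper provides the same drop-time wipe).

```rust
use std::sync::atomic::{compiler_fence, Ordering};

/// Hypothetical guard (not a DesQTA type): wipes the borrowed key buffer on drop.
struct WipeOnDrop<'a>(&'a mut [u8]);

impl Drop for WipeOnDrop<'_> {
    fn drop(&mut self) {
        for b in self.0.iter_mut() {
            // Volatile write so the compiler cannot optimise the wipe away.
            unsafe { std::ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

/// Placeholder for the real AEAD call: performs NO encryption, only fails
/// the way a cipher step can (bad key length, empty input).
fn cipher_step(key: &[u8], data: &[u8]) -> Result<Vec<u8>, String> {
    if key.len() != 32 || data.is_empty() {
        return Err("cipher step failed".to_string());
    }
    Ok(data.to_vec())
}

/// Manual wipe as the last step: skipped when `?` returns early.
fn manual_wipe(key: &mut [u8; 32], data: &[u8]) -> Result<Vec<u8>, String> {
    let out = cipher_step(&key[..], data)?;
    key.fill(0);
    Ok(out)
}

/// Guarded wipe: the guard's Drop runs on success and on every error path.
fn guarded_wipe(key: &mut [u8; 32], data: &[u8]) -> Result<Vec<u8>, String> {
    let guard = WipeOnDrop(&mut key[..]);
    let out = cipher_step(&*guard.0, data)?;
    Ok(out)
}

fn main() {
    // Constructed sample key and an empty input that forces the error path.
    let (mut k1, mut k2) = ([0xAA_u8; 32], [0xAA_u8; 32]);
    let _ = manual_wipe(&mut k1, b"");
    let _ = guarded_wipe(&mut k2, b"");
    println!("manual wipe ran: {}", k1.iter().all(|&b| b == 0));
    println!("guard wipe ran:  {}", k2.iter().all(|&b| b == 0));
}
```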
Strict Profile Isolation
Shared devices are common in schools. DesQTA implements Strict Profile Isolation to ensure that data never leaks between users.
Every user account is assigned a unique, cryptographically generated UUID. All data (timetables, files, and settings) is sandboxed into specific directories that are only accessible when that specific profile is authenticated and active.
src-tauri/src/utils/profiles.rs

    pub fn get_or_create_profile(base_url: String, user_id: i32, ...) -> Result<Profile, String> {
        // Generates a unique, isolated path for this specific user
        let profile_dir = get_profile_dir(&profile.id);
        // Ensures physical separation of data on the filesystem
        fs::create_dir_all(&profile_dir)
            .map_err(|e| format!("Failed to create profile directory: {}", e))?;
        // ...
    }

This means your sibling or classmate cannot accidentally (or intentionally) access your assignments or grades, even if they use the same computer.
High-Level Data Cleanup
Logging out should mean gone. Many web apps leave behind "ghost" cookies or cached data. DesQTA takes a serious approach to logout.
When you click "Logout," we trigger a multi-stage cleanup process:
Session Destruction: The active session file is deleted.
Key Removal: The encryption key is removed from the OS Keychain.
WebView Purge: We spawn a hidden, temporary window solely to execute a deep clean of the internal browser cache, cookies, and local storage.
src-tauri/src/auth/login.rs

    pub async fn logout(app: tauri::AppHandle) -> bool {
        // 1. Deep clean the webview engine (cookies, cache, storage)
        if let Err(e) = clear_webview_data(app).await {
            println!("[AUTH] Warning: Failed to clear webview data: {}", e);
        }
        // 2. Destroy the encrypted session file and keys;
        //    report success only if the session was cleared
        netgrab::clear_session().await.is_ok()
    }

No "Home" Server
Perhaps the most important security feature is what we don't have.
DesQTA has no central server.
When you use DesQTA, the connection is strictly Client <-> School.
We do not relay your traffic through our servers.
We do not collect personalized analytics data, only a single anonymous one.
We do not harvest your personal data.
Your logs (src-tauri/src/utils/logger.rs) are stored locally on your device for troubleshooting purposes only. They never leave your machine unless you manually export and send them to us for support.
Our Promise
We treat your school data with the same level of paranoia and respect that we would want for our own banking data. By combining Rust's memory safety, OS-level security integrations, and a strict local-first architecture, DesQTA provides a safe place to view your SEQTA on the desktop.
— The DesQTA Team

Aden Lindsay